[PATCH 3 of 3] QUIC: TLS_AES_128_CCM_SHA256 cipher suite support
Roman Arutyunyan
arut at nginx.com
Fri Jun 9 07:12:54 UTC 2023
# HG changeset patch
# User Roman Arutyunyan <arut at nginx.com>
# Date 1686292815 -14400
# Fri Jun 09 10:40:15 2023 +0400
# Node ID 91c420191eaa6b8d8bd3dc1447d5e0880f41108f
# Parent 74fa16d2a34a63a83fa76b46a56d8d68d44fa1bf
QUIC: TLS_AES_128_CCM_SHA256 cipher suite support.
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -94,6 +94,15 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic
len = 32;
break;
+#ifndef OPENSSL_IS_BORINGSSL
+ case TLS1_3_CK_AES_128_CCM_SHA256:
+ ciphers->c = EVP_aes_128_ccm();
+ ciphers->hp = EVP_aes_128_ctr();
+ ciphers->d = EVP_sha256();
+ len = 16;
+ break;
+#endif
+
default:
return NGX_ERROR;
}
@@ -393,18 +402,49 @@ ngx_quic_tls_open(const ngx_quic_cipher_
return NGX_ERROR;
}
+ if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE
+ && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN,
+ NULL)
+ == 0)
+ {
+ EVP_CIPHER_CTX_free(ctx);
+ ngx_ssl_error(NGX_LOG_INFO, log, 0,
+ "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed");
+ return NGX_ERROR;
+ }
+
if (EVP_DecryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptInit_ex() failed");
return NGX_ERROR;
}
+ if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE
+ && EVP_DecryptUpdate(ctx, NULL, &len, NULL, in->len - NGX_QUIC_TAG_LEN)
+ != 1)
+ {
+ EVP_CIPHER_CTX_free(ctx);
+ ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed");
+ return NGX_ERROR;
+ }
+
if (EVP_DecryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_DecryptUpdate() failed");
return NGX_ERROR;
}
+ tag = in->data + in->len - NGX_QUIC_TAG_LEN;
+
+ if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN, tag)
+ == 0)
+ {
+ EVP_CIPHER_CTX_free(ctx);
+ ngx_ssl_error(NGX_LOG_INFO, log, 0,
+ "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed");
+ return NGX_ERROR;
+ }
+
if (EVP_DecryptUpdate(ctx, out->data, &len, in->data,
in->len - NGX_QUIC_TAG_LEN)
!= 1)
@@ -415,16 +455,6 @@ ngx_quic_tls_open(const ngx_quic_cipher_
}
out->len = len;
- tag = in->data + in->len - NGX_QUIC_TAG_LEN;
-
- if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN, tag)
- == 0)
- {
- EVP_CIPHER_CTX_free(ctx);
- ngx_ssl_error(NGX_LOG_INFO, log, 0,
- "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed");
- return NGX_ERROR;
- }
if (EVP_DecryptFinal_ex(ctx, out->data + len, &len) <= 0) {
EVP_CIPHER_CTX_free(ctx);
@@ -491,12 +521,31 @@ ngx_quic_tls_seal(const ngx_quic_cipher_
return NGX_ERROR;
}
+ if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE
+ && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, NGX_QUIC_TAG_LEN,
+ NULL)
+ == 0)
+ {
+ EVP_CIPHER_CTX_free(ctx);
+ ngx_ssl_error(NGX_LOG_INFO, log, 0,
+ "EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed");
+ return NGX_ERROR;
+ }
+
if (EVP_EncryptInit_ex(ctx, NULL, NULL, s->key.data, nonce) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptInit_ex() failed");
return NGX_ERROR;
}
+ if (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE
+ && EVP_EncryptUpdate(ctx, NULL, &len, NULL, in->len) != 1)
+ {
+ EVP_CIPHER_CTX_free(ctx);
+ ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
+ return NGX_ERROR;
+ }
+
if (EVP_EncryptUpdate(ctx, NULL, &len, ad->data, ad->len) != 1) {
EVP_CIPHER_CTX_free(ctx);
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_EncryptUpdate() failed");
diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h
--- a/src/event/quic/ngx_event_quic_protection.h
+++ b/src/event/quic/ngx_event_quic_protection.h
@@ -16,7 +16,7 @@
#define NGX_QUIC_ENCRYPTION_LAST ((ssl_encryption_application) + 1)
-/* RFC 5116, 5.1 and RFC 8439, 2.3/2.5 for all supported ciphers */
+/* RFC 5116, 5.1/5.3 and RFC 8439, 2.3/2.5 for all supported ciphers */
#define NGX_QUIC_IV_LEN 12
#define NGX_QUIC_TAG_LEN 16
More information about the nginx-devel
mailing list